andi wrote:

Hi fellow developers!

Because of a recent spamming of my Wiki, I'd like to discuss Anti-Spam technologies with you. I'm interested in what technologies you use and how well they work.

What other methods do you use? What's your experience with CAPTCHAs?

Andi

Hi,

there are 2 things: "automatic spam" and "manual spam".

For automatic spam CAPTCHAs might be good but there are bots that can read them to some extent. If a spambot author considers writing a bot for your engine worth it - he will do it. Personally I am also using cookie tokens (that also prevents "session riding") that might help against bots.

For both manual and automatic spam I am thinking about implementing some kind of Bayesian filtering and have been experimenting wih DSPAM for the purpose of Wiki. Hard rules are not good alone.

It would be very nice to create a service similar to http://akismet.com/ that would check if the difference between 2 versions of the document can be considered spam. This could work as a web service and eventually make us (developers of all the wiki engines, admin and users) all happy ;-)

I would also encourage building mechanisms that makes it easier for users to mark spam revisions.

good luck! michal

update: I have just checked with Akismet and it is possible to use it not only with blogs - there are many libraries to support it (http://akismet.com/development/). In my spare time I will try to test it with Wikis too.

Last edited by michal_frackowiak (2006-10-18 14:33:19)

Wiki spam is a growing problem on public wiki sites. Actually, it is not isolated to wikis; any website that can be updated by users is a potential target for spam, such as blogs and bulletin boards. What can you do as an administrator of a public wiki site?

* Rule number one: Enable spam protection.
* Rule number two: Remove spam as quickly as possible when it happens. Reason: Spammers identify easy targets by searching sites for known spam keywords. It pays off to spam sites where spam survives long enough for search engines to pick up the content.

Public TWiki sites are spam targets for some time already; it is discussed on TWiki.org. I can see in the twiki.org logs that there are many failed spam attacks every day. TWiki has a BlackListPlugin that is quite effective in fighting spam. The Plugin gets updated every time a new spam twist is discovered, such as an HTML redirect obfuscated in a JavaScript eval statement. The BlackListPlugin fights spam on several fronts:

* Multiple registrations by the same IP address in rapid succession
* Multiple page saves by the same IP address in rapid succession
* Saving text with known wiki-spam (spam list is maintained and shared by TWiki, MoinMoin and Mediawiki sites)
* Attaching files with known wiki-spam
* Attaching files with JavaScript eval statements
* Manually maintained BLACKLIST of malicious IP addresses
* Automatically updated BANLIST of IP addresses with suspicious activities
* Registration form with magic number in hidden form field to make scripted registrations harder
* Add a rel="nofollow" parameter to external URLs to defeat the purpose of spamming TWiki sites

Related links on wiki spam:

* http://www.structuredwikis.com/peter_2006-08-06.html - my blog entry on wiki spam
* http://en.wikipedia.org/wiki/Link_spam - link spam info on Wikipedia
* http://en.wikipedia.org/wiki/Wikipedia:Spam - guidelines on how to address wiki spam on Wikipedia
* http://chongqed.org/fightback.html - chongqed.org, fighting wiki spam
* http://c2.com/cgi/wiki?WikiSpam - wiki spam info on Ward's original wiki
* http://www.usemod.com/cgi-bin/mb.pl?WikiSpam - wiki spam info on MeatBall wiki
* http://arch.thinkmo.de/cgi-bin/spam-merge - MoinMoin's merged spam list
* http://openwiki.com/ow.asp?WikiSpam - wiki spam info on OpenWiki
* http://spamhuntress.com/ - blog by Ann Elisabeth covering web spam

-- Peter AT StructuredWikis DOT com - http://www.structuredwikis.com/ - http://twiki.org/

Hi guys, thanks for the ideas, I've been looking into adding some more prevention methods for WikyBlog.

A couple of things I like, and were easy to implement are requiring cookies and limiting the frequency of edits made by unregistered users (idea from phpbb and configurable for the needs of each site).

Josh

* http://www.wikimatrix.org/show/WikyBlog
* http://www.wikyblog.com

The idea I have is to only ask for human verification (captcha) if the new revision submitted contains external urls the wiki hasn't seen before. So keeping trivial edits, like spell correcting, remain hassle free.